Legal claims defining the scope of protection, as filed with the USPTO.
1. An authentication system for use with personal electronic identity gadgets of at least one user of services, wherein the said personal electronic identity gadgets are configured to authenticate to a main service provider (for all personal electronic identity gadgets of this service user) and are configured to trigger synchronization of data storages of service providers; wherein the said system is characterized in that it comprises a data storage of an authentication system server component of at least one main service provider, wherein the said data storage is synchronizable with data storage(s) of server component(s) of at least one other service provider, either directly or via personal electronic identity gadgets, and wherein the said authentication system server component of the at least one main service provider is configured for mapping personal electronic identity gadgets to the account of the user of services; a data storage of an authentication system server component of at least one other service provider that is synchronizable with the data storage of the authentication system server component of the at least one main service provider, either directly or via personal electronic identity gadget; wherein: the data storage of the authentication system server component of each service provider contains, for each personal electronic identity gadget registered to this provider for the said user of services, a record with data for authenticating this personal electronic identity gadget, the data storage of the authentication system server component of the main service provider contains identifiers assigned to personal electronic identity gadgets and/or to users, wherein for each personal electronic identity gadget of a user and/or for each user, a separate identifier is assigned for each service provider for whom at least one personal electronic identity gadget of the user is assigned to the user account; the data storage of the authentication system server component of the main service provider contains a map of personal electronic identity gadgets for each user account, in the said map the records for all personal electronic identity gadgets of the said user in the said data storage are mapped to the said user account, furthermore the map contains the identifiers assigned to the personal electronic identity gadgets of the said user for all service providers and/or the identifiers assigned to the said user for all service providers; the data storage of the authentication system server component of other service provider contains at least the identifiers assigned to personal electronic identity gadgets and/or to users of this other service provider; the data storage of the authentication system server component of other service provider contains a map of personal electronic identity gadgets for each user account, wherein in the said map, the records for all personal electronic identity gadgets of the said user in this data storage are mapped to the said user account, furthermore the map contains the identifiers assigned to the personal electronic identity gadgets of the said user for at least this other service provider and/or the identifier assigned to the said user for at least this other service provider; the data storages and/or the authentication system server components are configured so that the identifiers assigned to the personal electronic identity gadgets assigned to the account of one user and/or identifiers assigned to one user are synchronizable by transmitting synchronization information between the data storages of the authentication system server components and/or between the authentication system server components, directly or via personal electronic identity gadgets.
2. The authentication system according to claim 1, characterized in that the data storage of the authentication system server component of each service provider contains, for each personal electronic identity gadget of the said user of services, a record with data for authenticating this personal electronic identity gadget, the data storage of the authentication system server component of the main service provider contains a map of personal electronic identity gadgets for each user account, in the said map the records for all personal electronic identity gadgets of the said user in the said data storage are mapped to the said user account, furthermore the map contains identifiers assigned to the personal electronic identity gadgets of the said user for all service providers, wherein a separate identifier is assigned for each personal electronic identity gadget of the said user for each service provider for whom at least one personal electronic identity gadget is registered for the said user account; the data storage of the authentication system server component of other service provider contains a map of personal electronic identity gadgets for each user account, wherein in the said map, the records for all personal electronic identity gadgets of the said user in this data storage are mapped to the said user account, furthermore the map contains the identifiers assigned to the personal electronic identity gadgets of the said user for at least this other service provider (and optionally for further other service providers for whom at least one personal electronic identity gadget is registered for the said user account); the data storages and/or the authentication system server components are configured so that the identifiers assigned to the personal electronic identity gadgets assigned to the account of one user are synchronizable by transmitting synchronization information between the data storages of the authentication system server components and/or between the authentication system server components, directly or via personal electronic identity gadgets.
3. The authentication system according to claim 1, characterized in that identifiers assigned to the user are mapped to the map of personal electronic identity gadgets for the user account in the data storage of the authentication system server component of the main service provider, wherein a separate identifier is assigned for each service provider for this user; and identifiers of the user assigned at least to another service provider are mapped to the map of personal electronic identity gadgets for the user account in the data storage of the authentication system server component of the said other service provider; wherein a local user identifier is mapped to the map of personal electronic identity gadgets of this user for each service provider.
4. A method of user authentication using a personal electronic identity gadget (PEIG) in the authentication system for use with the said personal electronic identity gadgets of at least one user of services, wherein the said personal electronic identity gadgets are configured to authenticate to a main service provider (for all PEIGs of this service user) and are configured to trigger synchronization of data storages of service providers; wherein the said system comprises a data storage of an authentication system server component of at least one main service provider, wherein the said data storage is synchronizable with data storage(s) of server component(s) of at least one other service provider, either directly or via personal electronic identity gadgets, and wherein the said authentication system server component of the at least one main service provider is configured for mapping personal electronic identity gadgets to the account of the user of services (user account); a data storage of an authentication system server component of at least one other service provider that is synchronizable with the data storage of the authentication system server component of the at least one main service provider, either directly or via personal electronic identity gadget; wherein the method is characterized in that in the data storage of the authentication system server component of the main service provider, a record containing data for authentication of the personal identity gadget is assigned to each personal electronic identity gadget during its registration to the user account; in the data storage of the authentication system server component of the main service provider, the records of all personal electronic identity gadgets assigned to the account of one user of services are mapped to a map of personal electronic identity gadgets for the said user account; and identifiers assigned to all personal electronic identity gadgets of the said user and/or to the said user are mapped to the said map of personal electronic identity gadgets for the said user account, wherein a separate identifier is assigned to each personal electronic identity gadget of the said user and/or to the said user for each service provider for whom any personal electronic identity gadget of this user is registered; and when any personal electronic identity gadget of the user is used at least for the first authentication to another service provider, this personal electronic identity gadget connects and authenticates to the main service provider and requests synchronization information from the authentication system server component of the main service provider, said synchronization information containing the map of personal electronic identity gadgets mapped to the said user's account and containing information on identifiers assigned to all personal electronic identity gadgets mapped to the map for at least the said other service provider and/or on identifiers assigned to the said user for at least the said other service provider; then the personal electronic identity gadget transmits this synchronization information to the authentication system server component of the said other service provider, wherein the authentication system server component of the said other service provider uses the synchronization information to amend the map of personal electronic identity gadgets and the information on identifiers in its data storage.
5. The method according to claim 4, characterized in that in the data storage of the authentication system server component of the main service provider, a record containing data for authentication of the personal identity gadget is assigned to each personal electronic identity gadget; in the data storage of the authentication system server component of the main service provider, the records of all personal electronic identity gadgets assigned to the account of one user of services are mapped to a map of personal electronic identity gadgets for the said user account; and identifiers assigned to all personal electronic identity gadgets of the said user are mapped to the said map of personal electronic identity gadgets for the said user account, wherein a separate identifier is assigned to each personal electronic identity gadget of the said user for each service provider for whom at least one personal electronic identity gadget of this user is registered; and when any personal electronic identity gadget of the user is used at least for the first authentication to another service provider, this personal electronic identity gadget connects and authenticates to the main service provider and requests synchronization information from the authentication system server component of the main service provider, said synchronization information containing the map of personal electronic identity gadgets mapped to the said user's account and containing information on identifiers assigned to all personal electronic identity gadgets mapped to the map for at least the said other service provider; then the personal electronic identity gadget transmits this synchronization information to the authentication system server component of the said other service provider, wherein the authentication system server component of the said other service provider uses the synchronization information to amend the map of personal electronic identity gadgets and the information on identifiers in its data storage.
6. The method according to claim 4, characterized in that at least at the beginning of the first process of authentication of the personal electronic identity gadget to another service provider, synchronization information is requested and transmitted to the other service provider through the personal electronic identity gadget.
7. The method according to claim 4, characterized in that when a first personal electronic identity gadget is lost, destroyed or stolen, the user authenticates to the main service provider with another personal electronic identity gadget and enters a command to revoke centrally the first personal electronic identity gadget; the authentication system server component of the main service provider then prepares a synchronization message flagging the first personal electronic identity gadget to be blocked and/or rejected for authentication; this synchronization message is then transmitted via synchronization channels to all other service providers having registered any of the personal electronic identity gadgets mapped to the map of personal electronic identity gadgets of this user; the other service providers use this synchronization message to synchronize the data in the map of personal electronic identity gadgets assigned to this user's account, wherein to identify this first personal electronic identity gadget the other service providers use identifiers assigned to this personal electronic identity gadget and mapped to their maps of personal electronic identity gadgets of this user.
8. The method according to claim 4, characterized in that when using a personal electronic identity gadget with expired cryptographic material to authenticate to another service provider, the authentication proceeds as a first-time authentication to this other service provider, thus the personal electronic identity gadget connects and authenticates to the main service provider, requests the main service provider to create the synchronization information containing a map of personal electronic identity gadgets and identifiers assigned to all personal electronic identity gadgets mapped to the map for at least this other service provider, and transmits this synchronization information to this other service provider; subsequently, after having compared the map of personal electronic identity gadgets saved previously at this other service provider with the newly transmitted map, new cryptographic material for authenticating this personal electronic identity gadget to this other service provider is created.
9. The method according to claim 4, characterized in that the authentication system is configured to enable entry of an administrator of the main service provider that is authorized to enter a command for central revocation of all personal electronic identity gadgets of this user and/or enter a command to recover the cryptographic material in the personal electronic identity gadget for the main service provider.
10. The method according to claim 4, characterized in that identifiers assigned for the user are mapped to the map of personal electronic identity gadgets for the user's account in the data storage of the authentication system server component of the main service provider, wherein a separate identifier is assigned for the said user for each service provider having registered at least one personal electronic identity gadget of this user; and mapped to the map of personal electronic identity gadgets for the user's account in the data storage of the authentication system server component of the other service provider are the identifiers assigned to the said user for at least this other service provider; wherein for each service provider, a local user identifier is created that is not transmitted anywhere but is mapped to the map of personal electronic identity gadgets of this user at this service provider, wherein this local user identifier is generated by the relevant service provider at which it is located.
11. The method according to claim 10, characterized in that in centralized identity verification, the provider of verification services verifies the user identity or the changed user information, e.g. by means of an identification document; wherein if the provider of verification services differs from the main service provider, it transmits the result of the user identity verification or the changed user information to the main service provider; the result of the verification of the user identity or change of user information is transmitted to other service providers as part of synchronization information or during a separate operation of taking over the results of the user identity verification or changed user information together with a user reference identifier for the relevant other service provider, and on the basis of the user reference identifier the result is linked with the relevant local user identifier assigned to the user at this other service provider.
12. The method according to claim 10, characterized in that a direct transaction between two service providers is performed when a personal electronic identity gadget is connected to one service provider, wherein the relevant local user identifiers mapped to the map of personal electronic identity gadgets for this user are available at data storages of authentication system server components of both service providers; wherein in cooperation between the personal electronic identity gadget and authentication system server components of both service providers, the authentication system server component of the first service provider generates a user one-time identifier which is transmitted to the authentication system server component of the second service provider via personal electronic identity gadget; in data storages of authentication system server components of both service providers, the user one-time identifier is linked with the local identifier of this user; subsequently, the application which requires the transaction to be processed at the second service provider requests the completion of the transaction and transmits the transaction parameters and the local user identifier for the second service provider to the authentication system server component of the other service provider; the server component uses the local user identifier to search for the linked user one-time identifier in its data storage and transmits the request to complete the transaction, the transaction parameters and the user one-time identifier to the authentication system server component of the first service provider via a direct synchronization channel; the authentication system server component of the first service provider uses the user one-time identifier to find the local user identifier for the first service provider in its data storage and transmits this local user identifier and transaction parameters to the application involved in the transaction at the first service provider; when the transaction is completed, both service providers remove the user one-time identifier from their data storages.
13. Computer program comprising instructions which, when the program is executed by a computer, cause the computer to carry out the steps of the method of claim 4.
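The per-provider identifier synchronization of claims 1 and 4 and the central revocation of claim 7, as an added Python simulation that is not part of the patent filing or any implementation of it; the class names, the "bank" and "shop" providers, the user accounts, the local user identifiers and the random per-provider identifiers are all constructed assumptions:

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class PeigRecord:
    identifiers: dict = field(default_factory=dict)  # provider -> identifier assigned for it
    blocked: bool = False                            # set by central revocation

class MainProvider:
    """Main service provider's server component: holds the full PEIG map (claim 1)."""
    def __init__(self):
        self.maps = {}       # user account -> {peig_id: PeigRecord}
    def register_peig(self, user, peig_id):
        self.maps.setdefault(user, {})[peig_id] = PeigRecord()
    def sync_info(self, user, provider):
        # Claim 4: a separate random identifier per PEIG per provider; only the
        # identifiers meant for `provider` are disclosed, so providers cannot correlate.
        info = []
        for rec in self.maps[user].values():
            ident = rec.identifiers.setdefault(provider, secrets.token_hex(16))
            info.append({"identifier": ident, "blocked": rec.blocked})
        return info
    def revoke(self, user, lost_peig_id):
        # Claim 7: flag the PEIG, then one sync message per provider that knows it.
        rec = self.maps[user][lost_peig_id]
        rec.blocked = True
        return {p: {"identifier": i, "blocked": True} for p, i in rec.identifiers.items()}

class OtherProvider:
    """Another provider's component: only its own identifiers plus a local user id (claim 10)."""
    def __init__(self):
        self.records = {}    # identifier -> PeigRecord
        self.maps = {}       # local user id (never transmitted) -> set of identifiers
    def apply_sync(self, local_user, info):
        for e in info:
            self.records.setdefault(e["identifier"], PeigRecord()).blocked = e["blocked"]
            self.maps.setdefault(local_user, set()).add(e["identifier"])
    def apply_revocation(self, msg):
        if msg["identifier"] in self.records:        # located by our own identifier only
            self.records[msg["identifier"]].blocked = msg["blocked"]
    def authenticate(self, local_user, identifier):
        rec = self.records.get(identifier)
        return identifier in self.maps.get(local_user, ()) and rec is not None and not rec.blocked

def scenario():
    """Constructed run: two PEIGs, a bank and a shop; the phone is lost and revoked."""
    main, bank, shop = MainProvider(), OtherProvider(), OtherProvider()
    main.register_peig("alice", "peig-phone")
    main.register_peig("alice", "peig-token")
    bank.apply_sync("bank-local-17", main.sync_info("alice", "bank"))  # first auth to bank
    shop.apply_sync("shop-local-9", main.sync_info("alice", "shop"))   # first auth to shop
    phone, token = (main.maps["alice"][p].identifiers for p in ("peig-phone", "peig-token"))
    before = bank.authenticate("bank-local-17", phone["bank"])
    for prov, msg in main.revoke("alice", "peig-phone").items():      # phone lost
        {"bank": bank, "shop": shop}[prov].apply_revocation(msg)
    return {"unlinkable": phone["bank"] != phone["shop"], "phone_before": before,
            "shop_knows_bank_id": phone["bank"] in shop.records,
            "phone_after": bank.authenticate("bank-local-17", phone["bank"]),
            "token_after": shop.authenticate("shop-local-9", token["shop"])}
```

The returned flags show the two properties worth checking at a relying provider: the bank's and the shop's identifiers for the same gadget differ and are not shared between them, and revocation propagates only through those per-provider identifiers while the remaining gadget keeps working.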
June 28, 2022